North Korea-backed hackers were behind last month’s supply chain attack on cryptocurrency companies, according to enterprise phone provider 3CX.
3CX, a business voice, video, and messaging provider, investigated the attack with Mandiant. Hackers infiltrated hundreds of thousands of organizations’ corporate networks using the company’s desktop phone software.
On Tuesday, 3CX chief information security officer Pierre Jourdan said their investigation confirmed that North Korean hackers were behind the attack.
Jourdan said Mandiant has linked the 3CX intrusion and supply chain attack to UNC4736. “Mandiant is confident UNC4736 has a North Korean nexus.”
Last week, CrowdStrike linked the 3CX breach to Labyrinth Chollima, a subgroup of the Lazarus Group, which stealthily hacks cryptocurrency exchanges to fund its nuclear weapons program. Kaspersky Lab in Russia also blamed North Korea for the 3CX breach.
In its analysis of the attack, Kaspersky said the hackers deployed a backdoor called “Gopuram” onto infected systems and have “a specific interest in cryptocurrency companies.” Kaspersky noted that attackers used Gopuram with “surgical precision” on fewer than ten machines.
3CX CEO Nick Galea stated in a forum post last week that the company is only aware of “a handful” of cases in which the malware was actually triggered. The full impact of the attack, and how 3CX itself was compromised, remain unknown. 3CX claims 600,000 business customers and 12 million daily users.